HackInParis 2018 training

Smart lockpicking - hands-on exploiting flaws in IoT devices based on electronic locks and access control systems



You can, quite reasonably, expect smart locks and access control systems to be free from alarming security vulnerabilities - such a common issue for an average IoT device. Well, this training will prove you wrong. After performing multiple hands-on exercises with a dozen real devices and various technologies, you will never look at these devices the same way again.

During this course students will perform: wireless sniffing, spoofing, cloning, replay, DoS, authentication and command-injection attacks. Practical exercises will include investigating proprietary network protocols, demystifying and breaking “military grade encryption”, abusing excessive services, intercepting wireless remote controls, brute-forcing PINs via voice calls and attacking building automation systems. The offensive exercises will teach you how to analyze the devices' security, and the best-practice guidelines will help you design them properly.

The software activities will be mixed with short entertaining tricks, including opening a lock with a strong magnet, counterfeiting fingerprints for a biometric sensor or opening a voice-controlled lock by remotely hacking speaker-enabled devices. Several tasks will be associated with an electromagnetic lock guarding a special vault. Whenever a student succeeds in hacking the lock, the box opens automatically and reveals a hidden reward.

Covering a wide range of topics and technologies (including NFC, Bluetooth Smart, embedded Linux, Wiegand, WiFi, P2P, SDR, GSM, KNX, …) guarantees that, whether you are a beginner or a skilled pentester, you will learn something new and have a good time. The training includes a hardware pack (over 100 EUR value) for each student, consisting of a preconfigured Raspberry Pi, NFC board, RTL-SDR dongle and Bluetooth Low Energy sniffer. The hardware will introduce you to the world of RF analysis and allow you to crack and clone NFC cards and to sniff and analyse Bluetooth Low Energy connections.

Prerequisites

  • At least basic familiarity with the Linux command line, Kali and Wireshark.
  • Scripting/programming skills will be very helpful.

Target audience

  • Pentesters, security professionals
  • IoT developers
  • Anyone interested

Material to bring by attendees

  • Laptop capable of running Kali Linux in a VM, with a USB port.
  • An Android smartphone with BLE and NFC support will be very helpful.
  • You can bring your own BLE device or NFC card to verify its security.

Course syllabus

1. NFC

UID-based access control - practical exercises on an example reader + door lock

  • UID lengths, formats
  • clone Mifare UID using “Chinese magic” card and provided hardware
  • how to emulate contactless cards and unlock a UID-based system using just a smartphone (Android, iOS), without any additional hardware
  • how to clone a card from a photo of it - decoding the numbers printed on cards
  • emulate cards using Proxmark, Chameleon Mini
  • brute-force - is it possible in practice to guess other cards' UIDs?
  • countermeasures against attacks

Wiegand - wired access control transmission standard

  • sniff the data transmitted by an access control reader using Raspberry Pi GPIO
  • decode the card UID from the sniffed bytes, clone the card
  • replay card data on the wire to open the lock
  • available Wiegand sniffers/repeaters

Mifare Classic & its weaknesses - practical exercises based on hotel door lock system, ski lift card, bus ticket

  • Mifare Classic - data structure, access control, keys, encryption
  • default & leaked keys
  • reading & cloning card data using just a mobile phone
  • cracking keys - nested, darkside attacks
  • libnfc tools - mfoc, mfcuk, MiLazyCracker
  • cracking Mifare using provided hardware

Reverse-engineering data stored on card

  • decoding access control data (room number, date) stored on a card by an example hotel system
  • creating a hotel “emergency card” to open all the hotel doors unconditionally

Mifare Ultralight

  • data structure
  • reading, cloning, emulating
  • example data stored on hotel access card

Introduction to Proxmark, Low Frequency cards (EM4100, HID Prox).

Summary of known attacks and security issues of Mifare Plus, DESFire, Ultralight C, HID iClass …

2. Bluetooth Smart (Low Energy)

Based on multiple devices (including 7 different smart locks) and tools developed by the trainer: the GATTacker BLE MITM proxy and the deliberately vulnerable Hackmelock (consisting of an Android mobile application and a lock device simulated on a Raspberry Pi).

Theory introduction

  • What is Bluetooth Smart/Low Energy/4.0, and how does it differ from previous Bluetooth versions?
  • Usage scenarios, prevalence in IoT devices
  • Protocol basics
  • Advertisements, connections
  • Central vs peripheral device
  • GATT - services, characteristics, descriptors, handles
  • Security features - pairing/encryption, whitelisting, MAC randomization
  • Security in practice: vendors' own crypto in the application layer
  • Hardware required for BLE assessment

BLE advertisements and beacons

  • iBeacon, Eddystone, Physical Web
  • Simulating beacons - using a mobile phone, Linux scripts, other devices.
  • How to get free beer by abusing beacon-based reward application
  • scanning for visible devices, hcitool, bleah, GATTacker, …
  • decoding data in advertisements
  • advertisement spoofing - Denial of Service, device impersonation

Sniffing BLE connections using RF layer hardware

  • Ubertooth, nRF sniffer, other hardware
  • Wireshark filters, tips&tricks
  • sniffing the static cleartext password of a smart lock and other devices using the provided hardware

HCI dump (Linux, Android) - setup, analysis, differences from RF-layer sniffing, replay/fuzzing possibilities.

Attacking services exposed by devices

  • mapping device services and characteristics
  • interacting with devices that do not require pairing/authentication
  • example of an unlocked AT command interface exposed via the BLE service of a smart lock

Device spoofing, active MITM interception

  • how to perform a “man in the middle” attack on BLE connections
  • available tools: GATTacker, BtleJuice
  • MAC address cloning
  • analysing intercepted traffic
  • Denial of Service attacks

Replay attacks

  • intercept transmission
  • analyse the authentication protocol weakness in an example smart lock
  • perform the replay using tools or a mobile phone, and unlock the device

Mobile application analysis, attacks on proprietary authentication and protocols

  • decompile an Android app, locate the relevant source code fragments
  • understand a proprietary BLE communication protocol - commands, data exchanged with the device
  • based on an example smart lock, discover a protocol weakness and create an exploit to open the lock without knowing the current password or any prior sniffing
  • exploit the vulnerability using just a mobile phone - nRF Connect macros
  • verify other vendors' claims of “Latest PKI technology” and “military grade encryption”

Relay attacks - abusing automatic proximity features (e.g. smart lock autounlock).

Remote access share functions and their weaknesses - how to bypass timing restrictions.

How to create your own independent server-side API for a device - based on a real smart lock vendor that disappeared and shut down its servers, effectively rendering the device e-waste.

Introduction to Web Bluetooth, Bluetooth Mesh, Bluetooth 5.0

BLE Hackmelock - an open-source software-emulated device with multiple challenges to practice on at home.

BLE best practices and security checklist - for security professionals, pentesters, vendors and developers.

3. Linux embedded

Based on a wireless door lock, an alarm + home automation system and other devices:

  • authentication bypass
  • information disclosure
  • telnet brute-force
  • OS command injection

4. Proprietary network protocols

Based on a fingerprint sensor device, wireless door lock, alarm system and HVAC controller

  • various approaches to analyzing proprietary protocols
  • step-by-step understanding of the packets and attacking the remote management binary communication of the fingerprint sensor
  • sniffing and decoding administrative credentials
  • abusing improper session management (authentication bypass)
  • unlock a wireless alarm with a single packet
  • P2P communication - how to attack devices hidden behind NAT

5. KNX home automation

An example installation connected to an electromagnetic lock

  • theory introduction, typical architecture, group addresses, device addresses…
  • tools: ETS configuration suite vs open-source knxd, knxmap, nmap scripts - how to locate and connect to KNX-IP gateway in LAN or remotely
  • monitor mode - sniffing the bus communication
  • write a command to a group address and open the lock

6. SMS and DTMF remote control over GSM

Based on a remote-controlled alarm system

  • theory introduction to GSM interception
  • brute-force the alarm's administrative PIN via automated remote SMS and voice calls from a cloud API

7. RF remote control

How to disarm an alarm using a wire connected to a Raspberry Pi - Software Defined Radio tools and hardware

  • identifying the relevant signal, its frequency and characteristics
  • recording the radio data sent by the remote controller using the provided RTL-SDR dongle
  • replaying the recorded control commands using a simple wire connected to the Raspberry Pi GPIO, and disarming the alarm
  • introduction to more advanced attacks on rolling-code systems

8. Moreover

You will also be able to try:

  • opening a smart lock using special strokes of a strong magnet which turn the device's internal motor
  • cheating a fingerprint biometric sensor - we can make a clone of your own fingerprint during the training
  • opening a voice-controlled lock by hacking a nearby speaker-enabled device

Each student will receive:

  • course materials in PDFs (several hundred pages)
  • all required additional files: source code, documentation, installation binaries, virtual machine images on a pendrive
  • Hardware pack for hands-on exercises consisting of:
    • Bluetooth Smart hardware sniffer and development kit based on an nRF51822 module
    • 2 Bluetooth Low Energy USB dongles
    • Raspberry Pi 3 (+microSD card and 3.1A power adapter), with assessment tools and Hackmelock installed for further practice at home.
    • NFC NXP PN532 board + “magic UID” card - which allows cloning the most common Mifare Classic contactless cards
    • RTL-SDR USB dongle

